
Overview
Two local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems.
Description
Sunshine is a self-hosted game stream host for Moonlight.
- CVE-2025-10198 Unquoted Service Path (CWE-428)
  Sunshine for Windows installs a service with an unquoted service path. This allows an attacker with local access to place a malicious executable in a directory within the service path (before the legitimate binary), which could then be executed with elevated privileges during system startup or service restart.
- CVE-2025-10199 DLL Search-Order Hijacking (CWE-427)
  Sunshine for Windows does not properly control the search path for required DLLs. This allows an attacker to place a malicious DLL in a user-writable directory that is included in the PATH environment variable. When the application loads, it may inadvertently load the malicious DLL, resulting in arbitrary code execution.
Impact
- CVE-2025-10198: Attackers with local access can escalate privileges to SYSTEM, resulting in full compromise of the affected machine.
- CVE-2025-10199: Attackers can execute malicious code in the context of the user running the application.
Solution
Apply an update from the Sunshine project once available.
As mitigation, until a patch is released:
- Ensure user-writable directories are not included in the PATH environment variable.
- Quote all service paths in Windows service configurations.
- Restrict permissions on service-related directories to prevent unauthorized file placement.
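The two conditions these mitigations address can be audited on a host with the following PowerShell script, an added example that is not part of this note or of the Sunshine project; the function names and the list of low-privilege group names are assumptions.

```powershell
# Added audit example: not from the CERT/CC note or the Sunshine project.
# Finds (1) services whose image path is unquoted and contains a space, the
# condition behind CWE-428, and (2) directories on the machine-wide PATH that
# grant write access to low-privilege principals, the condition behind CWE-427.
# Assumptions: elevated Windows PowerShell 5.1 or later, English group names.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $p = $_.PathName
            if (-not $p -or $p.StartsWith('"')) { return $false }
            # Only the part up to the executable name matters; trailing
            # arguments are not part of the image path the service manager resolves.
            $i = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            $image = if ($i -ge 0) { $p.Substring(0, $i) } else { $p }
            $image.Contains(' ')
        } |
        Select-Object Name, StartName, PathName
}

function Get-WritablePathEntry {
    # Principals that every local user effectively belongs to (assumed names).
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_ALL, GENERIC_WRITE.
    $writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ } | ForEach-Object { $_.Trim('"') } | Select-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeBits) -ne 0
        }
        if ($weak) {
            [pscustomobject]@{
                Directory = $dir
                Trustees  = ($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
Get-WritablePathEntry   | Format-Table -AutoSize
```

A service listed by the first function is only at risk if a directory along its unquoted path is writable by a standard user, so pair the output with a permissions check on those directories; on non-English systems replace the group names in the list.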
Acknowledgements
Thanks to the reporter, Pundhapat Sichamnong. This document was written by Timur Snoke.
Other Information
CVE IDs: CVE-2025-10198, CVE-2025-10199
API URL: VINCE JSON, CSAF
Date Public: 2025-09-10
Date First Published:
Date Last Updated: 2025-09-10 18:20 UTC
Document Revision: 1